Twitter pays $10,080 to Indian hacker for discovering Vine’s source code
Twitter paid $10,080 to Avinash Singh, an Indian white hat hacker, for reporting, through Twitter’s bug bounty program, a security hole that made Vine’s source code publicly available.
Vine, a Twitter-owned service, is a sort of video-based micro-blogging platform that allows users to upload six-second looping videos.
The entire code for Vine was stored as part of a Docker image used to host the site. The server itself was on AWS (Amazon Web Services) and should have been private. Using the Censys search engine, Avinash discovered that the image was publicly reachable rather than private.
Avinash presented his findings to Twitter on 31 March and they fixed the issue within 5 minutes. In return, Avinash received $10,080 for his troubles.
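The risk in this story is a container image that carries the application's source and its secrets, sitting where anyone can pull it. A defender's check for that is to scan an image archive before it is pushed. The following is an added example, not code from the article or from Singh's blog: a small Python scanner over a `docker save`-style archive (a `manifest.json`, the image config JSON with its `Env` list, and one tar per layer) that flags secret-looking environment variables, credential-style filenames and secret-looking file contents. The sample image it builds, its file names and the values in it are constructed for the example, and the regex patterns are illustrative, not a complete secret taxonomy.

```python
import io
import json
import re
import tarfile

# Illustrative patterns for material that should never be baked into an image.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value / key: value style assignments with a secret-ish name and a non-trivial value.
    "generic_secret_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*\S{8,}"
    ),
}
# File names that are suspicious regardless of content.
SENSITIVE_NAMES = re.compile(r"(^|/)(\.env|id_rsa|.*\.pem|.*\.key|credentials)$")
MAX_SCAN_BYTES = 1_000_000  # skip very large blobs; they are rarely config files


def scan_text(text, where):
    """Return (pattern_name, location) for every pattern that matches the text."""
    return [(name, where) for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def scan_layer(layer_bytes, layer_name):
    """Walk one layer tar and report suspicious file names and contents."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer.getmembers():
            if not member.isfile():
                continue
            where = f"{layer_name}:{member.name}"
            if SENSITIVE_NAMES.search(member.name):
                findings.append(("sensitive_filename", where))
            if member.size > MAX_SCAN_BYTES:
                continue
            data = layer.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary blob; content patterns are text-oriented
            findings.extend(scan_text(text, where))
    return findings


def scan_image_archive(archive_bytes):
    """Scan a `docker save` archive: image config Env entries, then every layer."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as img:
        manifest = json.loads(img.extractfile("manifest.json").read())
        for entry in manifest:
            config = json.loads(img.extractfile(entry["Config"]).read())
            for env in config.get("config", {}).get("Env", []):
                findings.extend(scan_text(env, f"{entry['Config']}:Env"))
            for layer_path in entry["Layers"]:
                findings.extend(scan_layer(img.extractfile(layer_path).read(), layer_path))
    return findings


def _add_bytes(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_image():
    """Constructed archive with secrets baked in (hypothetical app, not Vine's image)."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        _add_bytes(layer, "app/.env", b"DB_PASSWORD=hunter2hunter2\n")
        _add_bytes(layer, "app/config.rb", b"aws_key = 'AKIAIOSFODNN7EXAMPLE'\n")
        _add_bytes(layer, "app/main.rb", b"puts 'hello'\n")
    config = {"config": {"Env": ["PATH=/usr/bin", "API_TOKEN=abcdef0123456789"]}}
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/app:latest"],
                 "Layers": ["layer1/layer.tar"]}]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as img:
        _add_bytes(img, "manifest.json", json.dumps(manifest).encode())
        _add_bytes(img, "cfg.json", json.dumps(config).encode())
        _add_bytes(img, "layer1/layer.tar", layer_buf.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for name, where in scan_image_archive(build_sample_image()):
        print(f"{name:28} {where}")
```

Against the constructed image this reports the token in `Env`, the `.env` file both by name and by its password assignment, and the AWS-style key in `config.rb`; a real pipeline would run the same scan on `docker save <image>` output and fail the build on any finding, and would keep secrets out of the image entirely by injecting them at run time.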
“It’s third party keys, API keys and other secrets, even running the image without any parameter, was letting me host a replica of VINE locally,” Singh explained in his blog, called Whiskey Tango Foxtrot.
Singh, whose online handle is ‘avicoder’, also mentioned that he doesn’t intend to share Vine’s source code, and Twitter has already plugged the leak.
“I respect the NDA and fine line between black hat/white hat,” he wrote.